TrickBot Bolsters Its Backdoor to Access AnchorMail
- By David Lukic
- Published: Mar 02, 2022
- Last Updated: Mar 18, 2022
The malware collective that goes by the name of "TrickBot" is in the news once again. The gang has upgraded its AnchorDNS backdoor into a new variant called AnchorMail. AnchorDNS matters because it serves as a clandestine backdoor into compromised systems. Let's take a closer look at what these technical terms really mean and why the gang's latest upgrade is important.
What is TrickBot all About?
The TrickBot team was rumored to have disbanded in recent months. However, those in charge of the malware collective are still hard at work, attempting to improve their digital attack arsenal. The group's attacks transmit Conti ransomware to target computers and networks.
Who Discovered the new AnchorDNS Backdoor?
Sources indicate that IBM Security X-Force digital security specialists were the first to identify the revised version of the TrickBot team's AnchorDNS backdoor. The enhanced version is referred to as AnchorMail. AnchorMail relies on an email server for communications, using the IMAP and SMTP protocols over TLS. Charlotte Hammond, a malware reverse engineer with IBM, indicates that AnchorMail functions much like the prior AnchorDNS version, the difference being the overarching command-and-control ("C2") communication mechanism.
Why are Digital Security Professionals Worried About the new TrickBot Variation?
The cybercriminals responsible for TrickBot go by the monikers of ITG23 and Wizard Spider. These cyber miscreants have gone to great lengths to develop a complex Anchor malware framework along with a backdoor that zeroes in on victims with a considerable financial net worth. The hacking collective has victimized businesses and other wealthy individuals dating back four years, using TrickBot along with BazarBackdoor and additional implants.
ITG23 also alarms digital security specialists as the group has worked in tandem with the Conti ransomware collective in previous years. The two teamed up to develop TrickBot and BazarLoader for the transmission of payloads that allow for entry into target computing systems to deploy malware characterized by data encryption.
If digital security professionals are correct, Conti has obtained full ownership of TrickBot. However, it is also worth noting that the actors running TrickBot shut down its botnet infrastructure after Conti supposedly acquired it. As a result, digital security experts expect Conti to shift its focus to developing more discreet malware, including the likes of BazarBackdoor.
What is the Role of AnchorDNS?
AnchorDNS has evolved amidst the developments detailed above. The backdoor has undergone extensive revisions: the newer version uses specially crafted email messages instead of DNS protocol manipulation to bypass cyber defenses.
AnchorMail has advanced to the point that it relies on the encrypted SMTPS protocol to transmit information to its C2 server. Additionally, the malware uses a scheduled task that is triggered roughly every 10 minutes to keep the infected host under continuous control. Each run of the scheduled task contacts the C2 server to retrieve and execute commands. Such commands include running shellcode and binaries obtained from the remote server, launching PowerShell commands, and ultimately removing the malware from the system in question. The bottom line is that the new Anchor is cause for concern, as it constitutes a stealthy backdoor that facilitates potentially debilitating ransomware attacks.
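As an added defender-side example (not from this article or from IBM's research), the hunting heuristics below turn the two behaviours just described, a scheduled task recurring about every 10 minutes and C2 traffic over mail protocols on TLS, into checks run over constructed sample telemetry; the process names, paths and the mail-client allow-list are assumptions.

```python
"""Hunting heuristics for the AnchorMail tradecraft described above (added example).

Two behaviours from the write-up are checked over constructed sample telemetry:
  1. a scheduled task recurring roughly every 10 minutes whose action launches
     PowerShell or an executable outside the usual program directories, and
  2. outbound SMTPS/IMAPS connections (ports 465, 587, 993) from a process that
     is not a recognised mail client.
All records, process names and paths are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class ScheduledTask:
    name: str
    interval_minutes: int
    action: str  # command line the task runs


@dataclass
class NetConn:
    process: str
    dest_port: int


MAIL_PORTS = {465, 587, 993}
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: site allow-list
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # assumption: trusted locations


def suspicious_task(task: ScheduledTask) -> bool:
    """Flag tasks recurring every ~10 minutes (8-12 min) that run PowerShell
    or an executable located outside the trusted program directories."""
    if not 8 <= task.interval_minutes <= 12:
        return False
    cmd = task.action.lower()
    return "powershell" in cmd or not cmd.startswith(TRUSTED_DIRS)


def suspicious_conn(conn: NetConn) -> bool:
    """Flag mail-protocol traffic from processes that are not mail clients."""
    return conn.dest_port in MAIL_PORTS and conn.process.lower() not in KNOWN_MAIL_CLIENTS


def hunt(tasks, conns):
    """Return (names of suspicious tasks, processes with suspicious mail traffic)."""
    return ([t.name for t in tasks if suspicious_task(t)],
            [c.process for c in conns if suspicious_conn(c)])


# constructed sample telemetry: one benign task, two that match the pattern
SAMPLE_TASKS = [
    ScheduledTask("Backup", 60, "C:\\Program Files\\Backup\\backup.exe"),
    ScheduledTask("Update", 10, "C:\\Users\\Public\\svc\\update.exe /s"),
    ScheduledTask("Sync", 10, "powershell.exe -w hidden -File C:\\Users\\Public\\run.ps1"),
]
SAMPLE_CONNS = [NetConn("outlook.exe", 993), NetConn("update.exe", 465), NetConn("chrome.exe", 443)]
```

Running `hunt(SAMPLE_TASKS, SAMPLE_CONNS)` over the sample data flags the two 10-minute tasks and the non-mail process talking SMTPS, which is the overlap a triage analyst would want to correlate first.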